Azure VPN Device Tunnel

Petrus Croes 40 Reputation points
2026-03-27T14:05:37.5233333+00:00

Hi,

A couple of months ago I tried installing an always-on device tunnel via Azure for a client. We didn't manage to make it past the authentication of the rasdial module. We couldn't figure out why not, as the certificates were configured correctly. After the fact however, we discovered that the CRL list should be updated with a path which Azure can actually authenticate, be that in a static website storage account with the CRL list within it. My question is: is this really necessary to configure that device tunnel auth? What are the most common scenarios why this fails anyway? User tunnels were no issue.

Kind regards,

Petrus

Azure VPN Gateway

An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

2 answers

  1. Vallepu Venkateswarlu 6,995 Reputation points Microsoft External Staff Moderator
    2026-03-27T15:40:54.9133333+00:00

    Hi @Petrus Croes,

    Welcome to Microsoft Q&A Platform.

    You’re correct that for an Always On VPN device tunnel (which uses IKEv2 + machine certificate auth), the Azure VPN Gateway will perform a CRL check against the distribution points embedded in your issuing CA cert. If those URLs aren’t publicly reachable by the gateway, authentication will fail; rasdial simply reports a generic auth error.

    Is hosting a publicly reachable CRL really necessary?

    Yes. When you use certificate-based authentication, Azure VPN Gateway must retrieve and validate the CRL from the CDP URLs in your CA certificate. If you don’t expose a publicly accessible CRL (for example, via an Azure Storage static website URL), the gateway can’t verify certificate revocation status and will refuse the tunnel.

    Common causes for certificate-based auth failures on device tunnels:

    • CRL distribution points aren’t reachable (DNS/firewall/networking issues).
    • Certificates (root, intermediate, client) aren’t correctly installed in the Local Machine store.
    • Client cert missing the Client Authentication EKU or wrong certificate template.
    • Root/intermediate CA certs not uploaded to the VPN gateway’s point-to-site config.
    • Mismatched subject name or SAN on the client cert vs. what you configured on the gateway.
    • VPN profile deployed under the wrong context (needs to run as LOCAL SYSTEM via PsExec).
    • UDP ports 500/4500 blocked on your network or your public IP address.

    Troubleshooting steps you can run right now:

    • From the VPN Gateway resource in the portal, run the “VPN diagnostics” blade to capture IKE logs (symptomId=IkeLogsVpnRcaInsights).
    • On the client, manually invoke rasdial using the device tunnel profile to see more detailed errors.
    • Test HTTP(s) reachability from a VM or from Azure Cloud Shell to your CRL URL.
    • Double-check your certificate chain in MMC (Local Machine → Certificates → “Trusted Root” and “Intermediate CAs”).

    References: Configure an Always On VPN device tunnel; Point-to-site certificate-based authentication overview; VPN Gateway diagnostics for IKE and site-to-site issues

    Please “Accept the answer” and “up-vote” wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.

  2. Q&A Assist
    2026-03-27T14:06:00.4666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For an Always On VPN device tunnel to Azure, certificate-based authentication must succeed end to end, including certificate revocation checking. If the CRL distribution point (CDP) in the client certificate cannot be reached from Azure VPN Gateway, authentication can fail even when the certificate itself looks correct. So ensuring that the CRL is reachable to Azure (for example via a public/static endpoint) is effectively required when using a CA that publishes CRLs.

    Key points from the documented requirements and typical failure causes:

    1. Mandatory prerequisites for device tunnel
    • Device tunnel supports only IKEv2 with computer certificate authentication.
    • The device must be domain-joined and running Windows 10 Enterprise/Education 1809+ (1709+ for generic device tunnel feature).
    • Only one device tunnel per device is supported.
    • The client certificate used for device tunnel must be installed in the Local Machine store on the Windows 10 or later client, using the point-to-site VPN client method.
    • The VPN gateway must be configured for IKEv2 and certificate-based authentication using the Point-to-Site configuration.

    If any of these are not met, the device tunnel will fail to authenticate regardless of CRL configuration.

    2. Why user tunnels can work while device tunnels fail
    • User tunnels use certificates in the current user store and can use SSTP or IKEv2, while device tunnels are IKEv2-only and use machine certificates.
    • Device tunnels require the machine certificate to be valid and trusted for machine authentication, and the gateway must accept that root CA for machine auth.
    • Misalignment between the CA used for user certificates and the CA configured for machine certificate auth on the gateway can cause device tunnel failures while user tunnels still work.
    3. Common causes of device tunnel authentication failures. From the documented configuration steps and constraints, the most frequent issues are:
    • Certificate placement and type
      • Machine certificate not in Local Machine store (installed only in user store).
      • Wrong certificate type (user certificate used instead of computer certificate).
      • Missing or incorrect root CA on the gateway side for machine certificate authentication.
    • OS and device requirements
      • Device not domain-joined.
      • Windows edition not Enterprise/Education or version below the required minimum.
    • Protocol and tunnel configuration
      • Device tunnel not configured as IKEv2 with certificate auth.
      • Attempting to use SSTP or force-tunnel with device tunnel (device tunnel supports IKEv2 only and must be split tunnel).
      • More than one device tunnel profile configured on the same device.
    • Profile deployment context
      • Device tunnel profile not created in the LOCAL SYSTEM context (for example, created under a user context instead of using PsExec or an MDM solution as documented).
    4. CRL/Revocation specifics. While the provided context does not explicitly describe CRL publishing scenarios, it does require:
    • A trusted root certification authority for authenticating incoming VPN connections.
    • Proper machine certificate authentication configuration on the gateway using that root CA.

    In practice, for Azure VPN Gateway to validate certificates, it must be able to perform revocation checking against the CA’s CRL/OCSP endpoints. If those endpoints are not reachable from Azure, certificate validation can fail at the IKEv2 authentication stage. Publishing the CRL to a location that Azure can reach (for example, a public/static endpoint) is therefore a common and necessary step when using a private CA whose default CRL endpoints are not Internet-accessible.

    5. Recommended validation steps for device tunnel. Based on the documented configuration flow:
       a. Verify gateway configuration
         • Confirm the VPN gateway is configured for IKEv2 and certificate-based Point-to-Site VPN.
       b. Verify machine certificate chain
         • Ensure the machine certificate is in LocalMachine\My and chains to a root CA that is configured on the gateway for machine auth.
       c. Verify device tunnel profile creation
         • Use PsExec to open PowerShell in LOCAL SYSTEM context and run the provided devicecert.ps1 script with the VPNProfile.xml to create the device tunnel profile.
         • Confirm the profile appears (for example via rasphone) with the expected name.
       d. Test connection
         • Use rasphone to initiate the MachineCertTest (or equivalent) connection and confirm it succeeds, then reboot to verify Always On behavior.

    If user tunnels work but device tunnels fail, focus on:

    • Machine vs user certificate stores and types.
    • Gateway root CA configuration for machine auth.
    • Device tunnel OS/edition/domain-join requirements.
    • Profile creation under LOCAL SYSTEM.
    • Reachability of the CA’s revocation endpoints from Azure (which is where CRL publishing to an accessible location becomes necessary).

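The client-side checks both answers recommend (machine cert in the Local Machine store, Client Authentication EKU, chain to the root CA uploaded to the gateway, and HTTP reachability of every CRL distribution point in the chain) can be run in one pass; the script below is an added example, not code from either answer or from Microsoft. It assumes Windows PowerShell 5.1 in an elevated session on the VPN client, and $SubjectFilter is a placeholder you narrow if several machine certs exist.

```powershell
# Added example: validates the device tunnel machine-certificate prerequisites discussed above.
# Assumes Windows PowerShell 5.1 in an elevated session on the Always On VPN client.
param(
    [string]$SubjectFilter = "*"   # placeholder: narrow to the device cert's subject if needed
)
$clientAuthEku = "1.3.6.1.5.5.7.3.2"   # Client Authentication, required for IKEv2 machine auth

# Device tunnels only see certificates in the Local Machine personal store, never CurrentUser.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like $SubjectFilter }
if (-not $certs) { Write-Warning "No machine certificate with a private key found in LocalMachine\My"; return }

foreach ($cert in $certs) {
    Write-Host "== $($cert.Subject)  thumbprint $($cert.Thumbprint)"
    # EKU check: a cert issued from a user template may lack Client Authentication entirely.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $hasClientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthEku })
    Write-Host "  Client Authentication EKU present: $([bool]$hasClientAuth)"

    # Build the chain with online revocation checking, mirroring what the gateway has to do.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "Online"
    $chain.ChainPolicy.RevocationFlag = "EntireChain"
    $built = $chain.Build($cert)
    Write-Host "  Chain builds cleanly: $built"
    foreach ($s in $chain.ChainStatus) { Write-Host "  chain status: $($s.Status) - $($s.StatusInformation.Trim())" }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "  Root CA (must be uploaded to the gateway P2S config): $($root.Subject)"

    # Probe every CRL distribution point (OID 2.5.29.31) in the chain over HTTP(S). This tests
    # reachability from the client; repeat the same URLs from Azure Cloud Shell, because the
    # gateway, not the client, is what must fetch the CRL.
    foreach ($element in $chain.ChainElements) {
        $cdp = $element.Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
        if (-not $cdp) { continue }
        $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        foreach ($url in $urls) {
            if ($url -notmatch '^https?://') { Write-Host "  CDP $url : not HTTP, Azure cannot fetch it"; continue }
            try {
                $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
                Write-Host "  CDP $url : HTTP $($r.StatusCode)"
            } catch {
                Write-Host "  CDP $url : FAILED ($($_.Exception.Message))"
            }
        }
    }
}
```

An LDAP-only CDP, a chain status of RevocationStatusUnknown or OfflineRevocation, or a missing Client Authentication EKU each map directly to one of the failure causes listed in the answers above.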
